Applies To:

BIG-IP AAM

Overview: Configuring Acceleration with Web Application and Symmetric Optimization in a Global Network

Operating symmetrically, the BIG-IP® acceleration functionality, using
both Web Application and Symmetric Optimization functionality, caches large objects
(approximately 100MB or larger) from origin web servers and delivers them directly to clients.
The BIG-IP device handles both static content and dynamic content, by processing HTTP responses,
including objects referenced in the response, and then sending the included objects as a single
object to the browser. This form of caching reduces server TCP and application processing,
improves web page loading time, and reduces the need to regularly expand the number of web
servers required to service an application.

Configuring BIG-IP acceleration across a WAN involves creation of a Sync-Only device group for
two or more devices across the WAN, creation and configuration of endpoints across the WAN,
creation of a parent folder for acceleration objects under /Common on each
device, configuration of one or more central BIG-IP devices, configuration of one or more remote
BIG-IP devices, and synchronization of all devices in the Sync-Only device group.

Deployment of BIG-IP Devices for Acceleration

Global network symmetric deployment

A global network that is configured for optimum acceleration typically uses Symmetric
Optimization for symmetric acceleration when objects are greater than 100MB. When objects
are less than 100MB, Symmetric Optimization is typically not used for symmetric
acceleration. Symmetric Optimization provides deduplication and adaptive compression
designed to optimize acceleration of larger objects.

To improve your end user's experience with downloading web-based applications (such as
accessing Microsoft SharePoint servers) from a remote office, you can deploy a pair of
BIG-IP systems. Deploying a BIG-IP system in a remote location stages content closer to the
end user, resulting in faster downloads for both web pages and documents. You can use this
implementation for Internet, intranet, and extranet applications.

You must configure two or more BIG-IP devices for symmetric optimization using an iSession
connection; that is, you must configure BIG-IP devices on both sides of the WAN.

A global symmetric deployment using an iSession connection

About symmetric request and response headers

In a global network that includes a symmetric deployment of remote and central BIG-IP® devices
across a WAN, the remote BIG-IP receives a request and includes an X-Client-WA header, which
distinguishes the request to the central BIG-IP, enabling the central BIG-IP to process the
request, as necessary. When the central BIG-IP receives a response from the origin web servers,
it includes an X-WA-Surrogate header in the response, which distinguishes the response to the
remote BIG-IP. The remote BIG-IP processes the response as necessary and removes the
X-WA-Surrogate header before sending the response to the client.
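
The header flow described above can be checked against header blocks captured at each hop. The following is an added example, not F5 code: the capture-point names, function names, and all header values are assumptions, since the page names only the two headers and where each should appear.

```python
# Added example, not F5 code: audits captured HTTP header blocks against the
# symmetric header flow. Capture-point names and sample values are constructed.

CLIENT_WA = "x-client-wa"
WA_SURROGATE = "x-wa-surrogate"

# capture point -> (headers that must be present, headers that must be absent)
EXPECTED = {
    "remote_to_central_request": ({CLIENT_WA}, set()),
    "central_to_remote_response": ({WA_SURROGATE}, set()),
    "remote_to_client_response": (set(), {WA_SURROGATE}),
}


def header_names(raw_block):
    """Return the lower-cased header names found in a raw HTTP header block."""
    names = set()
    lines = raw_block.strip().splitlines()
    for line in lines[1:]:            # skip the request line or status line
        if not line.strip():
            break                     # a blank line ends the header block
        if line[0] in " \t":
            continue                  # obsolete folded continuation line
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return names


def audit(capture_point, raw_block):
    """Return findings for one capture; an empty list means it matches the flow."""
    must_have, must_not_have = EXPECTED[capture_point]
    seen = header_names(raw_block)
    findings = [f"{capture_point}: missing {h}" for h in sorted(must_have - seen)]
    findings += [f"{capture_point}: unexpected {h}"
                 for h in sorted(must_not_have & seen)]
    return findings


# Constructed captures; header values are placeholders because the page gives none.
SAMPLES = [
    ("remote_to_central_request",
     "GET /docs/report.pdf HTTP/1.1\r\nHost: app.example.com\r\n"
     "X-Client-WA: placeholder\r\n\r\n"),
    ("central_to_remote_response",
     "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
     "X-WA-Surrogate: placeholder\r\n\r\n"),
    ("remote_to_client_response",
     "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"),
    # Constructed failure case: the remote BIG-IP did not remove the header.
    ("remote_to_client_response",
     "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
     "x-wa-surrogate: placeholder\r\n\r\n"),
]


def audit_all(samples=SAMPLES):
    """Audit every (capture point, header block) pair and collect the findings."""
    return [finding for point, raw in samples for finding in audit(point, raw)]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Header names are compared case-insensitively, so a response that carries the surrogate header in a different case is still flagged.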

Working with Sync-Only device groups

One of the types of device groups that you can create is a Sync-Only device group. A
Sync-Only device group contains devices that synchronize configuration data with
one another, but their configuration data does not fail over to other members of the
device group. A maximum of 32 devices is supported in a Sync-Only device group.

A device in a trust domain can be a member of more than one Sync-Only device group. A device can also be a member of both a Sync-Failover group and a Sync-Only group.

A typical use of a Sync-Only device group is one in which you configure a device to synchronize
the contents of a specific folder to a different device group than to the device group to which
the other folders are synchronized.

What is device trust?

Before any BIG-IP® devices on a local network can synchronize
configuration data or fail over to one another, they must establish a trust relationship known as
device trust. Device trust between any two BIG-IP devices on the network is based on
mutual authentication through the signing and exchange of x509 certificates.

Devices on a local network that trust one another constitute a trust domain. A trust
domain is a collection of BIG-IP devices that trust one another and can therefore
synchronize and possibly fail over their BIG-IP configuration data, as well as exchange status
and failover messages on a regular basis. A local trust domain is a trust domain
that includes the local device, that is, the device you are currently logged in to. You can
synchronize a device's configuration data with either all of the devices in the local trust
domain, or to a subset of devices in the local trust domain.

Note: You can add devices to a local trust domain from a single device on the network.
You can also view the identities of all devices in the local trust domain from a single device in
the domain. However, to maintain or change the authority of each trust domain member, you must
log in locally to each device.

Illustration of Sync-Only device group configuration

You can use a Sync-Only device group to synchronize policy data in a specific folder across a local trust domain.

Device identity

The devices in a BIG-IP® device group use x509 certificates for mutual
authentication. Each device in a device group has an x509 certificate installed on it that the
device uses to authenticate itself to the other devices in the group.

Device identity is a set of information that uniquely identifies that device in
the device group, for the purpose of authentication. Device identity consists of the x509
certificate, plus this information:

Device name

Host name

Platform serial number

Platform MAC address

Certificate name

Subjects

Expiration

Certificate serial number

Signature status

Tip: From the Device Trust: Identity screen in the BIG-IP Configuration utility, you can view the x509 certificate installed on the local device.

Task summary

Perform these tasks to create a Sync-Only device group.

Defining an NTP server

Network Time Protocol (NTP) synchronizes the clocks on a network by means of a
defined NTP server. You can specify a list of IP addresses of the servers that you want
the BIG-IP system to use when updating the time on network systems.

In the Time Server Lookup List area, in the Address field, type the
IP address of the NTP server that you want to add. Then, click Add.

Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP
server provides the information about your NTP server, then this field is automatically
populated.

Click Update.

Adding a device to the local trust domain

Verify that each BIG-IP® device that is to be part of a local
trust domain has a device certificate installed on it.

Follow these steps to log in to any BIG-IP®
device on the network and add one or more devices to the local system's local trust
domain.

Note: Any BIG-IP devices that you intend to add to a device group at a later
point must be members of the same local trust domain.

On the Main tab, click Device Management > Device Trust, and then either Peer List or
Subordinate List.

In the Peer Authority Devices or the Subordinate Non-Authority Devices area of
the screen, click Add.

Type a device IP address, administrator user name, and administrator password
for the remote BIG-IP® device with which you want to
establish trust. The IP address you specify depends on the type of BIG-IP
device:

If the BIG-IP device is a non-VIPRION device, type the management IP
address for the device.

If the BIG-IP device is a VIPRION device that is not licensed and
provisioned for vCMP, type the primary cluster management IP address for the
cluster.

If the BIG-IP device is a VIPRION device that is licensed and
provisioned for vCMP, type the cluster management IP address for the
guest.

If the BIG-IP device is an Amazon Web Services EC2 device, type one of
the Private IP addresses created for this EC2 instance.

Click Retrieve Device Information.

Verify that the displayed information is correct.

Click Finished.

After you perform this task, the local device and the device that you specified in
this procedure have a trust relationship and, therefore, are qualified to join a device
group.

Creating a Sync-Only device group

You perform this task to create a Sync-Only type of device group. When you create a
Sync-Only device group, the BIG-IP® system can then automatically synchronize certain
types of data such as security policies and acceleration applications and policies to
the other devices in the group, even when some of those devices reside in another
network. You can perform this task on any BIG-IP device within the
local trust domain.

On the Main tab, click Device Management > Device Groups.

On the Device Groups list screen, click Create.
The New Device Group screen opens.

Type a name for the device group, select the device group type
Sync-Only, and type a description for the device
group.

From the Configuration list, select
Advanced.

For the Members setting, select an IP address and host
name from the Available list for each BIG-IP device that
you want to include in the device group. Use the Move button to move the host
name to the Includes list.
The list shows any devices that are members of the device's local trust
domain.

For the Automatic Sync setting, select or clear the
check box:

Select the check box when you want the BIG-IP system to automatically
sync the BIG-IP configuration data whenever a config sync operation is
required. In this case, the BIG-IP system syncs the configuration data
whenever the data changes on any device in the device group.

Clear the check box when you want to manually initiate each config sync
operation. In this case, F5 Networks recommends that you perform a config
sync operation whenever configuration data changes on one of the devices in
the device group.

For the Full Sync setting, select or clear the check
box:

Select the check box when you want all sync operations to be full syncs.
In this case, the BIG-IP system syncs the entire set of BIG-IP configuration
data whenever a config sync operation is required.

Clear the check box when you want all sync operations to be incremental
(the default setting). In this case, the BIG-IP system syncs only the
changes that are more recent than those on the target device. When you
select this option, the BIG-IP system compares the configuration data on
each target device with the configuration data on the source device and then
syncs the delta of each target-source pair.

If you enable incremental synchronization, the BIG-IP system might
occasionally perform a full sync for internal reasons. This is a rare occurrence
and no user intervention is required.

In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.
This value specifies the total size of configuration changes that can reside
in the incremental sync cache. If the total size of the configuration changes
in the cache exceeds the specified value, the BIG-IP system performs a full sync
whenever the next config sync operation occurs.

Click Finished.

You now have a Sync-Only type of device group containing BIG-IP devices as
members.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync
are members of a device group and that device trust is established.

This task synchronizes the BIG-IP® configuration data from the
local device to the devices in the device group. This synchronization ensures that
devices in the device group operate properly. When
synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP
addresses only.

Important: You perform this task on either of the two
devices, but not both.

On the Main tab, click Device Management > Overview.

In the Device Groups area of the screen, in the Name column, select the name of the relevant device group.
The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.

In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.

In the Sync Options area of the screen, select Sync Device to Group.

Click Sync.
The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.

Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Perform these tasks to accelerate HTTP traffic with a symmetric BIG-IP®.

Defining an NTP server

Network Time Protocol (NTP) synchronizes the clocks on a network by means of a
defined NTP server. You can specify a list of IP addresses of the servers that you want
the BIG-IP system to use when updating the time on network systems.

For the WA Applications setting, select an application
in the Available list and click
Enable.
The application is listed in the Enabled
list.

Click Update.

Acceleration is enabled through the BIG-IP application in the Web Acceleration
profile.

Creating a pool on a central BIG-IP device to process synchronized HTTP traffic

You can create a pool of web servers on a central BIG-IP device to process
synchronized HTTP requests across a global network.

Note: Skip this task if
you forward HTTP traffic to a single server or use a wildcard for the destination.

On the Main tab, click Local Traffic > Pools.
The Pool List screen opens.

Click Create.
The New Pool screen opens.

In the Name field, type a unique name for the
pool.

For the Health Monitors setting, from the
Available list, select the
http monitor, and click
<< to move the monitor to the
Active list.

From the Load Balancing Method list, select how the
system distributes traffic to members of this pool.
The default is Round Robin.

For the Priority Group Activation setting, specify how
to handle priority groups:

Select Disabled to disable priority groups. This
is the default option.

Select Less than, and in the Available
Members field type the minimum number of members that must
remain available in each priority group in order for traffic to remain
confined to that group.

Using the New Members setting, add each resource that
you want to include in the pool:

Type an IP address in the Address field.

Type 80 in the Service
Port field, or select HTTP from
the list.

(Optional) Type a priority number in the
Priority field.

Click Add.

Click Finished.

The new pool appears in the Pools list.

Creating a virtual server to manage HTTP traffic

You can create a virtual server to manage HTTP traffic as either a host virtual
server or a network virtual server.

On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

Click the Create button.
The New Virtual Server screen opens.

In the Name field, type a unique name for the virtual server.

For the Destination setting, in the Address
field, type the IP address you want to use for the virtual server.
The IP address you type must be available and not in the loopback network.

In the Service Port field, type
80, or select HTTP from the
list.

From the HTTP Profile list, select
http.

From the HTTP Compression Profile list, select one of
the following profiles:

httpcompression

wan-optimized-compression

A customized profile

Optional: From the Web Acceleration Profile list, select one of
the following profiles:

optimized-acceleration

optimized-caching

webacceleration

A customized profile

From the Web Acceleration Profile list, select one of
the following profiles with an enabled application:

optimized-acceleration

optimized-caching

webacceleration

A customized profile

In the Resources area of the screen, from the Default Pool list,
select a pool name.

Click Finished.

The HTTP virtual server appears in the list of existing virtual servers on the
Virtual Server List screen.

Using Quick Start to set up iSession endpoints

You can view the Quick Start screen only after you have defined at least one VLAN
and at least one self IP on a configured BIG-IP® system that is
provisioned with Application Acceleration Manager™.

You can use the Quick Start screen to set up the iSession®
endpoints on a BIG-IP system. To optimize WAN traffic, you must configure the iSession
endpoints on the BIG-IP systems on both sides of the WAN.

In the WAN Self IP Address field, type the local
endpoint IP address, if it is not already displayed.
This IP address must be in the same subnet as a self IP address on the BIG-IP
system, and to make sure that dynamic discovery properly detects this endpoint,
the IP address must be the same as a self IP address on the BIG-IP
system.

Verify that the Discovery setting is set to
Enabled.
If you disable the Discovery setting, or discovery
fails, you must manually configure any remote endpoints and advertised
routes.

Specify the VLANs on which the virtual servers on this system receive incoming
traffic.

LAN VLANs: Select the VLANs that receive incoming LAN traffic destined for the WAN.

WAN VLANs: Select the VLANs that receive traffic from the WAN through an iSession™ connection.

Click Apply.

You have now established the local endpoint for the iSession connection, and the
system automatically created a virtual server on this endpoint for terminating incoming
iSession traffic.

To complete the iSession connection, you must also set up the local endpoint on the
BIG-IP system on the other side of the WAN. When you set up the other local endpoint,
that system creates a virtual server for terminating traffic sent from this BIG-IP
system.

Adding a virtual server to advertised routes

You can add the IP address of a virtual server you created to intercept application
traffic to the list of advertised iSession® routes on the central
BIG-IP® system. This configuration tells the BIG-IP system in
the remote location that the iSession-terminating endpoint on the central BIG-IP system
can route traffic to the application server.

In the Address field, type the IP address of the virtual
server you created for accelerating application traffic.

In the Netmask field, type
255.255.255.255.

Click Finished.

The remote BIG-IP system now knows that the iSession-terminating endpoint on the
central BIG-IP system can route traffic to the application server.

Verify that the iSession profile on the iSession-terminating (endpoint) virtual
server is configured to target this virtual server. The default profile
isession, for which the default Target Virtual setting is match all, is
appropriate as long as the Address setting for this virtual server is not a
wildcard (0.0.0.0).

Perform these tasks to accelerate HTTP traffic with a symmetric BIG-IP®.

Defining an NTP server

Network Time Protocol (NTP) synchronizes the clocks on a network by means of a
defined NTP server. You can specify a list of IP addresses of the servers that you want
the BIG-IP system to use when updating the time on network systems.

For the WA Applications setting, select an application
in the Available list and click
Enable.
The application is listed in the Enabled
list.

Click Update.

Acceleration is enabled through the BIG-IP application in the Web Acceleration
profile.

Creating a virtual server to manage HTTP traffic

You can create a virtual server to manage HTTP traffic as either a host virtual
server or a network virtual server.

On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

Click the Create button.
The New Virtual Server screen opens.

In the Name field, type a unique name for the virtual server.

For the Destination setting, in the Address
field, type the IP address you want to use for the virtual server.
The IP address you type must be available and not in the loopback network.

In the Service Port field, type
80, or select HTTP from the
list.

From the HTTP Profile list, select
http.

From the HTTP Compression Profile list, select one of
the following profiles:

httpcompression

wan-optimized-compression

A customized profile

Optional: From the Web Acceleration Profile list, select one of
the following profiles:

optimized-acceleration

optimized-caching

webacceleration

A customized profile

From the Web Acceleration Profile list, select one of
the following profiles with an enabled application:

optimized-acceleration

optimized-caching

webacceleration

A customized profile

In the Resources area of the screen, from the Default Pool list,
select a pool name.

Click Finished.

The HTTP virtual server appears in the list of existing virtual servers on the
Virtual Server List screen.

Using Quick Start to set up iSession endpoints

You can view the Quick Start screen only after you have defined at least one VLAN
and at least one self IP on a configured BIG-IP® system that is
provisioned with Application Acceleration Manager™.

You can use the Quick Start screen to set up the iSession®
endpoints on a BIG-IP system. To optimize WAN traffic, you must configure the iSession
endpoints on the BIG-IP systems on both sides of the WAN.

In the WAN Self IP Address field, type the local
endpoint IP address, if it is not already displayed.
This IP address must be in the same subnet as a self IP address on the BIG-IP
system, and to make sure that dynamic discovery properly detects this endpoint,
the IP address must be the same as a self IP address on the BIG-IP
system.

Verify that the Discovery setting is set to
Enabled.
If you disable the Discovery setting, or discovery
fails, you must manually configure any remote endpoints and advertised
routes.

Specify the VLANs on which the virtual servers on this system receive incoming
traffic.

LAN VLANs: Select the VLANs that receive incoming LAN traffic destined for the WAN.

WAN VLANs: Select the VLANs that receive traffic from the WAN through an iSession™ connection.

Click Apply.

You have now established the local endpoint for the iSession connection, and the
system automatically created a virtual server on this endpoint for terminating incoming
iSession traffic.

To complete the iSession connection, you must also set up the local endpoint on the
BIG-IP system on the other side of the WAN. When you set up the other local endpoint,
that system creates a virtual server for terminating traffic sent from this BIG-IP
system.

Implementation results

The central and remote BIG-IP devices are configured symmetrically to accelerate HTTP
traffic.